
CVSS: 9.0 • EPSS: 2% • CPEs: 1 • EXPL: 5

An issue was discovered in EyesOfNetwork 5.3. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the /module/module_frame/index.php autodiscovery.php target field.

EyesOfNetwork version 5.3 suffers from code execution and remote SQL injection vulnerabilities.

• https://www.exploit-db.com/exploits/48169
• https://www.exploit-db.com/exploits/48025
• http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
• https://github.com/EyesOfNetworkCommunity/eonweb/issues/50
• https://github.com/h4knet/eonrce
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.8 • EPSS: 7% • CPEs: 1 • EXPL: 4

An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.

EyesOfNetwork version 5.3 suffers from code execution and remote SQL injection vulnerabilities.

• https://www.exploit-db.com/exploits/48169
• https://www.exploit-db.com/exploits/48025
• http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
• https://github.com/EyesOfNetworkCommunity/eonapi/issues/16
• https://github.com/h4knet/eonrce
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 18% • CPEs: 1 • EXPL: 2

An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.

EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default.

• https://www.exploit-db.com/exploits/48169
• http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
• https://github.com/EyesOfNetworkCommunity/eonapi/issues/17
• https://github.com/h4knet/eonrce
• CWE-798: Use of Hard-coded Credentials

CVSS: 8.8 • EPSS: 2% • CPEs: 1 • EXPL: 1

EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.

• https://www.exploit-db.com/exploits/47280
• https://www.eyesofnetwork.com/?p=2072
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the graph parameter to module/capacity_per_label/index.php.

• https://github.com/jsj730sos/cve/blob/master/Eonweb_module_capacity_per_label_index.php-SQL%20injection%20vulnerability
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')